Re: pg_hba.conf

From Tom Lane
Subject Re: pg_hba.conf
Msg-id 9543.1109085518@sss.pgh.pa.us
In reply to Re: pg_hba.conf  (Bruno Wolff III <bruno@wolff.to>)
Responses Re: pg_hba.conf  (Dick Davies <rasputnik@hellooperator.net>)
List pgsql-admin
Bruno Wolff III <bruno@wolff.to> writes:
> The host entry is the one that applies. But the host entry will allow either
> ssl or nonssl, so it doesn't do what you want without cooperation from the
> connecting client. You can use hostnossl to match without allowing ssl.
> You will also want to use a hostssl line with 'reject' authentication
> to keep the later rule from matching. I am not sure if all of the normal
> clients will fall back after trying ssl to not using ssl. That should be
> pretty easy to test though.

Perhaps easier would be to set "PGSSLMODE=allow" (or even "disable") in
the client environment.  This will work for libpq-based clients; there
may be something equivalent if you are using other software.

The important point here is that it's the client's choice whether to try
an SSL connection first or not, and libpq defaults to trying SSL first.
So unless you set up pg_hba.conf to actively reject SSL-based
connections, that's what you're going to get.

Also: why aren't you just using a Unix socket?  We never do SSL over
Unix sockets.

            regards, tom lane
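
The record matching discussed in this message, as an added example that is not part of the original thread: a simplified Python model of pg_hba.conf first-match selection combined with libpq's attempt order for each PGSSLMODE value. It assumes an SSL-enabled server, omits the database and user columns, and uses constructed addresses and rule sets.

```python
import ipaddress

# Order in which libpq tries connections per sslmode (True = SSL attempt).
ATTEMPTS = {"disable": [False], "allow": [False, True],
            "prefer": [True, False], "require": [True]}

# Constructed rule sets: (record type, client CIDR, auth method).
HOST_ONLY = [("host", "0.0.0.0/0", "md5")]
HOSTNOSSL_ONLY = [("hostnossl", "127.0.0.1/32", "md5"),
                  ("host", "0.0.0.0/0", "md5")]
WITH_REJECT = [("hostssl", "127.0.0.1/32", "reject"),
               ("hostnossl", "127.0.0.1/32", "md5"),
               ("host", "0.0.0.0/0", "md5")]

def first_match(rules, client_ip, ssl):
    """Return the auth method of the first record that matches, or None."""
    ip = ipaddress.ip_address(client_ip)
    for rtype, cidr, method in rules:
        if rtype == "hostssl" and not ssl:
            continue  # hostssl only matches SSL connections
        if rtype == "hostnossl" and ssl:
            continue  # hostnossl only matches non-SSL connections
        if ip in ipaddress.ip_network(cidr):
            return method  # first match wins; later records are not consulted
    return None

def connect(rules, client_ip, sslmode="prefer"):
    """Return (ssl_used, method) for the first attempt a record admits, else None."""
    for ssl in ATTEMPTS[sslmode]:
        method = first_match(rules, client_ip, ssl)
        if method not in (None, "reject"):
            return (ssl, method)
    return None

if __name__ == "__main__":
    for name, rules in [("host only", HOST_ONLY),
                        ("hostnossl only", HOSTNOSSL_ONLY),
                        ("hostssl reject + hostnossl", WITH_REJECT)]:
        print(name, "->", connect(rules, "127.0.0.1"))
```

With the default SSL-first order, the `hostnossl` line alone changes nothing for the local client because the SSL attempt falls through to the later `host` record; only the `hostssl ... reject` line in front of it pushes the client to its non-SSL retry.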
